Since today, my VMware has started crashing. When I start up VMware I get bha errors.
When I click anything related to explorer.exe on the desktop (such as opening a folder, copy and paste, or opening Control Panel), I get a dialog box that says it encountered a problem. In the error signature:
AppName: explorer.exe ModName: shdocvw.dll.
In order to get files to the desktop, I had a shared folder, and I was able to get files by opening VLC Media Player, clicking the Open File dialog box, navigating all the way to the shared folder and copying to the desktop with no problem. I ran Malwarebytes Anti-Malware and it says no problem.
I ran HijackThis and pasted it into hijackthis.de; it also says no problem.
I went ahead and ran ComboFix. It found:
1. System file is infected!!
c:\Windows\system32\mshtml.dll
Successfully restored
2. System file is infected!!
c:\Windows\system32\es.dll
Successfully restored
3. System file is infected!!
c:\Windows\pchealth\helpctr\binaries\pchsvc.dll
Successfully restored
Now the VM restarts into a BSOD:
*** stop: 0x00000083(0xc0000005, 0x80637191c, 0xb9c029d0,0x00000000)
The only way I can access Windows is by going into safe mode.
When I do go in, I get a dialog box:
16 bit MS-DOS Subsystem
c:\windows\system32\rundll32.exe
The NTVDM CPU has encountered an illegal instruction
CS:055e IP:2369 OP:63 00 6f 00 6d Choose 'Close' to terminate application
Can it still be saved?
Hope someone out there can help me.
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:48:33 PM, on 9/24/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
C:\Program Files\Common Files\Siemens\ace\bin\SCSMX.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [S7UB Start] "C:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" -StartDB
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [VMware Tools] "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
O4 - HKLM\..\Run: [VMware User Process] "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
O4 - HKLM\..\Run: [WinCC flexible Smart Start] "C:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DuckCapture] "C:\Program Files\DuckLink\DuckCapture\DuckCapture.exe" /autorun
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O20 - Winlogon Notify: VMUpgradeAtShutdown - VMUpgradeAtShutdownWXP.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Automation License Manager Service (almservice) - Unknown owner - C:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
O23 - Service: CCAgent - SIEMENS AG - C:\Program Files\Common Files\Siemens\ACE\bin\CCAgent.exe
O23 - Service: CCEClient - SIEMENS AG - C:\Program Files\Common Files\Siemens\ace\bin\CCEClient.exe
O23 - Service: CCEServer - SIEMENS AG - C:\Program Files\Common Files\Siemens\ace\bin\CCEServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (WINCCFLEXEXPRESS) (MSSQL$WINCCFLEXEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\Opcenum.exe
O23 - Service: RedundancyControl - SIEMENS AG - C:\Program Files\Common Files\Siemens\ace\bin\RedundancyControl.exe
O23 - Service: RedundancyState - SIEMENS AG - C:\Program Files\Common Files\Siemens\ace\bin\RedundancyState.exe
O23 - Service: S7 Global Services (s7asysvx) - SIEMENS AG - C:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
O23 - Service: SIMATIC IEPG Help Service (s7oiehsx) - SIEMENS AG - C:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
O23 - Service: S7TraceServiceX - SIEMENS AG - C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
O23 - Service: SCSMonitor - SIEMENS AG - C:\Program Files\Common Files\Siemens\ace\bin\SCSMX.exe
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - Cortado AG - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: TP VC Gateway Service (TPVCGateway) - Cortado AG - C:\Program Files\VMware\VMware Tools\TPVCGateway.exe
O23 - Service: U7Service - SIEMENS AG - C:\Program Files\Siemens\Step7\S7bin\u7csvrax.exe
O23 - Service: VMware Tools (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
O23 - Service: VMware Physical Disk Helper Service - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmacthlp.exe
--
End of file - 6360 bytes
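A small triage helper for logs in this format, added here as an example and not part of the original post or of HijackThis itself. The sample lines are constructed to mirror the entry types seen above (a duplicated O10 LSP entry, an O20 "file missing" entry, an O23 service with an unknown owner); the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in HijackThis log format (not the full log from the post).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\vsocklib.dll
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O23 - Service: Automation License Manager Service (almservice) - Unknown owner - C:\\Program Files\\Common Files\\Siemens\\sws\\almsrv\\almsrvx.exe
O23 - Service: VMware Tools (VMTools) - VMware, Inc. - C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe
"""

# HijackThis entries start with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Split a HijackThis log into (section, body) tuples, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Group the entries a reviewer would look at first.

    Nothing here is a verdict: an O23 'Unknown owner' only means HijackThis
    could not read a vendor name from the binary, and a '(file missing)'
    Winlogon Notify entry is often a leftover from an uninstalled tool.
    Each bucket is a list of raw entry strings so the reviewer sees the path.
    """
    entries = parse_entries(text)
    findings = defaultdict(list)
    for (section, body), count in Counter(entries).items():
        if count > 1:  # identical entry listed more than once (e.g. the two O10 lines above)
            findings["duplicate"].append(f"{section} x{count}: {body}")
    for section, body in entries:
        if "(file missing)" in body:
            findings["file_missing"].append(f"{section}: {body}")
        if section == "O23" and "Unknown owner" in body:
            findings["unsigned_service"].append(body)
        if section == "O10" and "Unknown file" in body:
            findings["lsp"].append(body)
    return dict(findings)
```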